The Dutch Tax and Customs Administration has violated the core principles of the EU General Data Protection Regulation (GDPR) by collecting and processing the data of more than a quarter of a million Dutch citizens when there was no legal basis for using the data.
Autoriteit Persoonsgegevens, the Dutch Data Protection Authority (DDPA), launched an investigation into the Tax and Customs Administration following complaints about its data processing activities related to the use of a fraud management system called the Fraud Signaling Facility (FSV). The FSV contained the personal data of Dutch taxpayers and was used to identify fraudsters, with individuals added to a blacklist if they were found guilty of tax fraud or if they were suspected of fraud that had not been proven.
The FSV system could be accessed by a wide range of employees in several divisions of the Tax and Customs Administration and had been in place for several years prior to the May 25, 2018, GDPR compliance date. The FSV was eventually retired in 2020, after several media reports criticizing the system.
When individuals were added to the blacklist, they were placed under intensive supervision by the Tax and Customs Administration; however, many of the individuals on the list were unaware that their data had been collected, processed, and used for that purpose. Individuals on the blacklist had no way of defending themselves against allegations of fraud, and could not be removed from the list. The FSV included data collected by the Tax and Customs Administration, but also data drawn from other external sources.
The DDPA analyzed data in the system and discovered it contained inaccurate, out-of-date information that was often unrelated to potential fraud. The system, which also included the personal data of minors, was used by the Tax and Customs Administration without a legal basis or a defined purpose for several years.
The Tax and Customs Administration has been notified about the findings of the investigation and allowed to respond. A decision has yet to be made about whether the GDPR violations warrant a financial penalty.
This is not the first time the Tax and Customs Administration has been found to have violated the GDPR. The DDPA had previously determined that the personal data of individuals with dual nationality were being used illegally, with those individuals discriminated against with respect to child benefit applications. In that case, the data of 1.4 million individuals with dual nationality were still stored in its systems when the GDPR took effect, even though the dual nationality data should have been deleted in January 2014 and should never have played a role in the assessment of childcare benefit applications.